fix(sandbox): harden seccomp, inference routing, and process limits#869
Merged: johntmyers merged 4 commits into main, Apr 17, 2026.
Move AF_NETLINK to the unconditional socket-domain block list alongside AF_PACKET, AF_BLUETOOTH, and AF_VSOCK. Previously it was only blocked in NetworkMode::Block, leaving it accessible in Proxy mode where network namespace isolation already scopes netlink to the sandbox's own veth — making this a defense-in-depth hardening rather than a live exposure. Closes OS-94
The pre-OPA interception for inference.local matched on hostname alone, allowing any port to bypass OPA policy evaluation — including under deny-all (network_policies: {}). Add a port check so only port 443 takes the interception path; all other ports on inference.local now fall through to OPA and are subject to normal policy evaluation. Closes OS-95
Set a hard limit of 512 processes per UID in harden_child_process(), applied before privilege drop so the sandbox user cannot raise it. Prevents unrestricted fork() from exhausting the process table — most relevant for local dev mode where K8s pod cgroup pids.max is absent. Closes OS-96
drew approved these changes (Apr 17, 2026)
Summary
Three defense-in-depth fixes for sandbox security controls, addressing findings from a 2026-04-16 security assessment. Each fix is a separate commit.
- `NetworkMode::Block`, now blocked in all modes alongside `AF_PACKET`/`AF_BLUETOOTH`/`AF_VSOCK`. Impact was informational (network namespace already scopes netlink to sandbox's own veth), but closes the gap.
- `inference.local` pre-OPA interception to port 443 only — the hostname-only check at `proxy.rs:357` allowed any port to bypass OPA policy evaluation, including under deny-all. Non-443 ports now fall through to OPA.
- `RLIMIT_NPROC` (hard limit 512) in `harden_child_process()` — prevents fork bomb process exhaustion, most relevant for local dev mode where K8s pod cgroup `pids.max` is absent.

Related Issues
Closes OS-93, OS-94, OS-95, OS-96

Changes
- `crates/openshell-sandbox/src/sandbox/linux/seccomp.rs` — move AF_NETLINK to unconditional block list
- `crates/openshell-sandbox/src/proxy.rs` — add `INFERENCE_LOCAL_PORT` constant and port check to inference interception condition
- `crates/openshell-sandbox/src/process.rs` — add `RLIMIT_NPROC` hard limit of 512 before privilege drop

Testing
- `cargo check -p openshell-sandbox` — compiles clean (no new warnings)
- `mise run pre-commit` — lint and format
- `mise run test` — unit tests
- `mise run e2e` — end-to-end validation of deny-all + inference routing + fork limit
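As an added example (not the PR's own `harden_child_process()` code), here is the `RLIMIT_NPROC` step from the description written in Rust with `getrlimit`/`setrlimit` bound directly from libc. It assumes 64-bit Linux (`RLIMIT_NPROC` = 6, `rlim_t` = `u64`), sets soft == hard, never raises an existing hard limit, and uses a hypothetical `drop_privileges` hook in place of the real setgid/setuid sequence.

```rust
use std::io;

const RLIMIT_NPROC: i32 = 6;        // Linux resource number (rlim_t is u64 on 64-bit Linux)
const SANDBOX_MAX_PROCS: u64 = 512; // the ceiling named in the PR description

#[repr(C)]
struct Rlimit {
    rlim_cur: u64, // soft limit: what fork() is checked against
    rlim_max: u64, // hard limit: ceiling an unprivileged process may raise rlim_cur to
}

// Bound directly against libc so the example builds without extra crates.
extern "C" {
    fn getrlimit(resource: i32, rlim: *mut Rlimit) -> i32;
    fn setrlimit(resource: i32, rlim: *const Rlimit) -> i32;
}

/// Current (soft, hard) RLIMIT_NPROC of the calling process.
fn current_nproc_limit() -> io::Result<(u64, u64)> {
    let mut lim = Rlimit { rlim_cur: 0, rlim_max: 0 };
    // SAFETY: `lim` is a valid, writable rlimit for the duration of the call.
    if unsafe { getrlimit(RLIMIT_NPROC, &mut lim) } != 0 {
        return Err(io::Error::last_os_error());
    }
    Ok((lim.rlim_cur, lim.rlim_max))
}

/// Set soft == hard == min(`max`, current hard limit); returns the value applied.
/// Only ever lowers the hard limit (raising it needs CAP_SYS_RESOURCE).
fn apply_nproc_limit(max: u64) -> io::Result<u64> {
    let (_, hard) = current_nproc_limit()?;
    let cap = max.min(hard); // RLIM_INFINITY is u64::MAX, so min() handles it
    let lim = Rlimit { rlim_cur: cap, rlim_max: cap };
    // SAFETY: `lim` is a valid rlimit; setrlimit only reads it.
    if unsafe { setrlimit(RLIMIT_NPROC, &lim) } != 0 {
        return Err(io::Error::last_os_error());
    }
    Ok(cap)
}

/// Order matters: the cap goes on first, because once the process runs as the
/// unprivileged sandbox UID it cannot raise the hard limit again, so the sandbox
/// inherits a cap it cannot undo. `drop_privileges` is a hypothetical hook.
fn harden_then_drop(drop_privileges: impl FnOnce() -> io::Result<()>) -> io::Result<u64> {
    let applied = apply_nproc_limit(SANDBOX_MAX_PROCS)?;
    drop_privileges()?;
    Ok(applied)
}
```

Calling `harden_then_drop(|| Ok(()))` applies the cap to the current process; a child forked afterwards inherits it, which is the property the fix relies on.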